From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Andrei Borzenkov <arvidjaar@gmail.com>

Date: Wed, 16 May 2018 13:06:04 -0400

Subject: [PATCH] efi/uga: use 64 bit for fb_base

We get 64 bit from PCI BAR but then truncate by assigning to 32 bit.

Make sure to check that pointer does not overflow on 32 bit platform.

Closes: 50931

---

 grub-core/video/efi_uga.c | 31 ++++++++++++++++---------------

 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/grub-core/video/efi_uga.c b/grub-core/video/efi_uga.c

index 044af1d20d3..97a607c01a5 100644

--- a/grub-core/video/efi_uga.c

+++ b/grub-core/video/efi_uga.c

@@ -34,7 +34,7 @@ GRUB_MOD_LICENSE ("GPLv3+");

 static grub_efi_guid_t uga_draw_guid = GRUB_EFI_UGA_DRAW_GUID;

 static struct grub_efi_uga_draw_protocol *uga;

-static grub_uint32_t uga_fb;

+static grub_uint64_t uga_fb;

 static grub_uint32_t uga_pitch;

 static struct

@@ -52,7 +52,7 @@ static struct

 #define FBTEST_COUNT	8

 static int

-find_line_len (grub_uint32_t *fb_base, grub_uint32_t *line_len)

+find_line_len (grub_uint64_t *fb_base, grub_uint32_t *line_len)

 {

   grub_uint32_t *base = (grub_uint32_t *) (grub_addr_t) *fb_base;

   int i;

@@ -67,7 +67,7 @@ find_line_len (grub_uint32_t *fb_base, grub_uint32_t *line_len)

 	    {

 	      if ((base[j] & RGB_MASK) == RGB_MAGIC)

 		{

-		  *fb_base = (grub_uint32_t) (grub_addr_t) base;

+		  *fb_base = (grub_uint64_t) (grub_addr_t) base;

 		  *line_len = j << 2;

 		  return 1;

@@ -84,7 +84,7 @@ find_line_len (grub_uint32_t *fb_base, grub_uint32_t *line_len)

 /* Context for find_framebuf.  */

 struct find_framebuf_ctx

 {

-  grub_uint32_t *fb_base;

+  grub_uint64_t *fb_base;

   grub_uint32_t *line_len;

   int found;

 };

@@ -129,7 +129,9 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)

 	      if (i == 5)

 		break;

-	      old_bar2 = grub_pci_read (addr + 4);

+	      i++;

+	      addr += 4;

+	      old_bar2 = grub_pci_read (addr);

 	    }

 	  else

 	    old_bar2 = 0;

@@ -138,10 +140,15 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)

 	  base64 <<= 32;

 	  base64 |= (old_bar1 & GRUB_PCI_ADDR_MEM_MASK);

-	  grub_dprintf ("fb", "%s(%d): 0x%llx\n",

+	  grub_dprintf ("fb", "%s(%d): 0x%" PRIxGRUB_UINT64_T "\n",

 			((old_bar1 & GRUB_PCI_ADDR_MEM_PREFETCH) ?

-			"VMEM" : "MMIO"), i,

-		       (unsigned long long) base64);

+			"VMEM" : "MMIO"), type == GRUB_PCI_ADDR_MEM_TYPE_64 ? i - 1 : i,

+			base64);

+

+#if GRUB_CPU_SIZEOF_VOID_P == 4

+	  if (old_bar2)

+	    continue;

+#endif

 	  if ((old_bar1 & GRUB_PCI_ADDR_MEM_PREFETCH) && (! ctx->found))

 	    {

@@ -149,12 +156,6 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)

 	      if (find_line_len (ctx->fb_base, ctx->line_len))

 		ctx->found++;

 	    }

-

-	  if (type == GRUB_PCI_ADDR_MEM_TYPE_64)

-	    {

-	      i++;

-	      addr += 4;

-	    }

 	}

     }

@@ -162,7 +163,7 @@ find_card (grub_pci_device_t dev, grub_pci_id_t pciid, void *data)

 }

 static int

-find_framebuf (grub_uint32_t *fb_base, grub_uint32_t *line_len)

+find_framebuf (grub_uint64_t *fb_base, grub_uint32_t *line_len)

 {

   struct find_framebuf_ctx ctx = {

     .fb_base = fb_base,